# sfCSRF plugin
The `sfCSRFPlugin` plugin provides protection against Cross Site Request Forgeries (http://en.wikipedia.org/wiki/Csrf).
This plugin is a backport of a symfony 1.1 native feature.
## Installation
* Install the plugin

        symfony plugin-install http://plugins.symfony-project.com/sfCSRFPlugin

* Enable the plugin in `filters.yml` and choose a secret (the value below is only a placeholder; use a long, random secret of your own)

        csrf:
          class: sfCSRFFilter
          param:
            secret: my$ecret

* Clear your cache

        symfony cc
## Usage
As soon as the filter is enabled in your `filters.yml` configuration file, every form submitted with `POST` is protected against CSRF attacks; nothing has to be changed in your templates or actions.
## How does it work?
The CSRF filter adds a hidden field named `_csrf_token` to every form in the response before it is sent to the browser. The token value is derived from the user's `session_id` and the `secret` you configured in `filters.yml`, so a third-party site, which knows neither, cannot produce a valid token for the victim's session.

When a form is submitted with `POST`, the CSRF filter checks the token value. If the token is missing or does not match the expected value, the plugin throws an `sfException`.

Two consequences follow from this design. Only `POST` submissions are checked, so a state-changing action that is also reachable through `GET` is not protected by the filter. And the hidden field is only injected into HTML forms found in the response, so a `POST` built by script (an AJAX call, for instance) has to send `_csrf_token` itself, and a submission whose session differs from the one the form was rendered in (for example after the session expired) is rejected.
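The mechanism described above, written out as an added example; this is not the plugin's own code. It assumes the token is computed as an HMAC-SHA256 of the session id under the configured secret (the page only says the token is made of the two; the plugin's exact derivation is not documented here), that only `POST` is validated, and PHP 7 or later. The `csrf_*` function names, the demo HTML and the session id are constructed for the example.

```php
<?php
// Added example, not sfCSRFPlugin code: a minimal CSRF filter that injects a
// hidden token into every form of a response and validates it on POST.
// Assumption: token = HMAC-SHA256(session_id) keyed with the filters.yml
// secret. The plugin's real derivation may differ.

const CSRF_FIELD = '_csrf_token';

function csrf_token(string $secret, string $sessionId): string
{
    // Bind the token to this session and to the server-side secret. A page
    // on another origin knows neither value, so it cannot forge the token.
    return hash_hmac('sha256', $sessionId, $secret);
}

function csrf_inject(string $html, string $token): string
{
    // Insert the hidden field right after each opening <form ...> tag, the way
    // the filter rewrites the response before it reaches the browser.
    $field = '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
    return preg_replace('/(<form\b[^>]*>)/i', '$1' . $field, $html);
}

function csrf_check(string $method, array $post, string $secret, string $sessionId): void
{
    // Only POST submissions are validated; GET requests pass through unchanged,
    // which is why state-changing GET actions stay unprotected.
    if (strtoupper($method) !== 'POST') {
        return;
    }
    $expected = csrf_token($secret, $sessionId);
    $given    = $post[CSRF_FIELD] ?? '';
    // hash_equals compares in constant time so the expected token is not
    // leaked through response timing.
    if (!is_string($given) || !hash_equals($expected, $given)) {
        throw new Exception('CSRF attack detected: missing or invalid ' . CSRF_FIELD);
    }
}

// Constructed demo input (not real traffic).
$secret    = 'my$ecret';        // the filters.yml secret
$sessionId = 'abc123sessionid'; // would come from session_id() in practice

$page  = '<form method="post" action="/account/delete"><button>Delete</button></form>';
$token = csrf_token($secret, $sessionId);
echo csrf_inject($page, $token), "\n";

// Legitimate submission: the browser echoes back the injected hidden field.
csrf_check('POST', [CSRF_FIELD => $token], $secret, $sessionId);
echo "valid submission accepted\n";

// Forged cross-site submission: the attacker's page cannot read the victim's
// session id or the server secret, so the field is absent and the check fails.
try {
    csrf_check('POST', [], $secret, $sessionId);
} catch (Exception $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A GET request is never checked, whatever it carries.
csrf_check('GET', [], $secret, $sessionId);
echo "GET passed through without a token check\n";
```

Run it with `php csrf_example.php`; the first line of output is the form with the hidden field injected, followed by one accepted POST, one rejected POST and one unchecked GET.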